CVE-2026-21015 Overview
CVE-2026-21015 is an information disclosure vulnerability in the Samsung FactoryCamera application on Samsung Android devices. The flaw stems from incorrect default permissions [CWE-276] that allow a local attacker with low privileges to access a unique device identifier. Samsung addressed the issue in the SMR May-2026 Release 1 security maintenance update.
The vulnerability affects Samsung Android versions 14.0, 15.0, and 16.0 across all SMR releases prior to May 2026. Exploitation requires local access and a low-privilege context, but does not require user interaction. Confidentiality impact is high, while integrity and availability are unaffected.
Critical Impact
A local low-privileged application can read a unique device identifier exposed by FactoryCamera, enabling persistent device tracking and fingerprinting across application boundaries.
Affected Products
- Samsung Android 14.0 (all SMR releases prior to SMR May-2026 Release 1)
- Samsung Android 15.0 (all SMR releases prior to SMR May-2026 Release 1)
- Samsung Android 16.0 (all SMR releases prior to SMR May-2026 Release 1)
Discovery Timeline
- 2026-05-13 - CVE-2026-21015 published to NVD
- 2026-05-13 - Last updated in NVD database
- May 2026 - Samsung releases fix in SMR May-2026 Release 1
Technical Details for CVE-2026-21015
Vulnerability Analysis
The FactoryCamera application ships with incorrect default permissions on a component or data path that exposes a unique device identifier. Android applications declare permission requirements in their manifest, and exported components without proper permission gating become accessible to every other application installed on the device.
In this case, FactoryCamera exposes a unique identifier without enforcing an appropriate signature- or system-level permission. Any local application running on the device can query the exposed surface and retrieve the identifier without obtaining user consent or elevated privileges.
Unique device identifiers are sensitive because they persist across application reinstalls and across user-initiated resets of other, user-controllable identifiers. Access to such an identifier enables silent cross-app correlation, advertising fingerprinting, and tracking workflows that bypass Android's per-app identifier isolation model.
Root Cause
The root cause is classified under [CWE-276] Incorrect Default Permissions. FactoryCamera registers a component, file, or provider with permissions that are more permissive than required. The platform-level fix in SMR May-2026 Release 1 tightens these defaults so that only authorized callers can reach the identifier.
Attack Vector
Exploitation requires a malicious or compromised local application on the Samsung device. The attacker app does not need user interaction once installed and operates with low privileges already granted at install time. There is no network-reachable exposure, and the bug does not enable code execution or modification of data.
For technical details refer to the Samsung Mobile Security Update advisory.
Detection Methods for CVE-2026-21015
Indicators of Compromise
- Installed applications querying FactoryCamera content providers, exported activities, or services without a documented business reason.
- Logcat entries showing inter-process calls to FactoryCamera components originating from non-system UIDs.
- Mobile threat defense telemetry flagging applications that read device identifiers shortly after install.
Detection Strategies
- Inventory Samsung Android fleet build numbers and flag devices on SMR releases earlier than May-2026 R1.
- Monitor mobile application behavior for processes interacting with FactoryCamera package components.
- Apply mobile threat defense policies that detect side-loaded or low-reputation apps performing identifier harvesting.
Monitoring Recommendations
- Centralize Android security patch level reporting through your MDM or UEM platform for compliance visibility.
- Alert on devices that fall behind the current Samsung SMR baseline for more than one monthly cycle.
- Review installed application permission grants on enrolled devices and restrict apps requesting broad identifier access.
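The fleet inventory check from the Detection Strategies list and the "more than one monthly cycle" alert from the Monitoring Recommendations, worked as an added Python example (not code from the advisory or from Samsung). It assumes each MDM record carries the device's ro.build.version.security_patch string and that the SMR May-2026 Release 1 baseline corresponds to patch level 2026-05-01; the Device record and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Baseline from the advisory (SMR May-2026 Release 1) as a ro.build.version.security_patch date.
MIN_PATCH_LEVEL = date(2026, 5, 1)
AFFECTED_MAJORS = {"14", "15", "16"}  # Samsung Android 14.0, 15.0, 16.0

@dataclass
class Device:
    device_id: str        # hypothetical MDM record id
    manufacturer: str
    android_version: str  # e.g. "15.0"
    security_patch: str   # ro.build.version.security_patch, e.g. "2026-03-01"

def parse_patch_level(value: str) -> date:
    year, month, day = (int(p) for p in value.split("-"))
    return date(year, month, day)

def months_behind(patch: date, baseline: date) -> int:
    """Whole monthly SMR cycles the device trails the baseline (0 when compliant)."""
    if patch >= baseline:
        return 0
    return (baseline.year - patch.year) * 12 + (baseline.month - patch.month)

def evaluate(dev: Device, baseline: date = MIN_PATCH_LEVEL) -> dict:
    """Apply the advisory's inventory, alerting and minimum-patch-level rules to one record."""
    in_scope = (dev.manufacturer.lower() == "samsung"
                and dev.android_version.split(".")[0] in AFFECTED_MAJORS)
    if not in_scope:
        return {"device_id": dev.device_id, "status": "not_in_scope", "action": "allow"}
    behind = months_behind(parse_patch_level(dev.security_patch), baseline)
    if behind == 0:
        return {"device_id": dev.device_id, "status": "compliant", "action": "allow"}
    return {
        "device_id": dev.device_id,
        "status": "vulnerable",              # pre-May-2026 SMR build: exposed to CVE-2026-21015
        "months_behind": behind,
        "action": "block_corporate_access",  # minimum security patch level policy
        "alert": behind > 1,                 # trails the baseline by more than one monthly cycle
    }

def audit(devices, baseline: date = MIN_PATCH_LEVEL) -> list:
    return [evaluate(d, baseline) for d in devices]

# Constructed sample inventory (not real devices or identifiers).
SAMPLE_INVENTORY = [
    Device("dev-001", "samsung", "15.0", "2026-05-01"),  # patched
    Device("dev-002", "samsung", "14.0", "2026-04-01"),  # one cycle behind
    Device("dev-003", "samsung", "16.0", "2026-02-01"),  # three cycles behind
    Device("dev-004", "google", "16.0", "2026-01-05"),   # not a Samsung device
]
```

Feed the output of audit() to your MDM's compliance or SIEM pipeline; devices with action block_corporate_access are the pre-May-2026 builds the mitigation section targets, and alert marks those that have slipped more than one SMR cycle.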
How to Mitigate CVE-2026-21015
Immediate Actions Required
- Push Samsung's SMR May-2026 Release 1 update to all managed Samsung Android 14.0, 15.0, and 16.0 devices through your MDM solution.
- Enforce a minimum security patch level policy that blocks corporate resource access for devices on pre-May 2026 SMR builds.
- Audit installed applications on managed devices and remove untrusted or unnecessary third-party apps.
Patch Information
Samsung released the fix as part of the SMR May-2026 Release 1 maintenance update. Apply the latest firmware via Settings > Software update or distribute the update through your enterprise mobility management platform. Refer to the Samsung Mobile Security Update bulletin for device-specific availability.
Workarounds
- Restrict installation of non-Play-Store applications using MDM policy to reduce the local attacker surface.
- Disable or restrict the FactoryCamera application on devices where it is not required for operational use.
- Require corporate devices to enroll in conditional access that validates the Android security patch level before granting access.
# Example MDM compliance rule: enforce minimum Samsung patch level
# Pseudocode for an EMM compliance policy
compliance_rule:
  platform: android
  manufacturer: samsung
  min_security_patch_level: "2026-05-01"
  action_on_violation: block_corporate_access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


